Security in Ad Hoc Networks

Vesa Kärpijoki
Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory
Vesa.Karpijoki@hut.fi

Abstract

In ad hoc networks the communicating nodes do not necessarily rely on a fixed infrastructure, which sets new challenges for the security architecture they apply. In addition, as ad hoc networks are often designed for specific environments and may have to operate with full availability even in difficult conditions, security solutions applied in more traditional networks may not directly be suitable for protecting them. A short literature study of papers on ad hoc networking shows that many of the new generation ad hoc networking proposals are not yet able to address the security problems they face. Environment-specific implications for the required approaches in implementing security in such dynamically changing networks have not yet been fully realized.

1 Introduction

An ad hoc network is a collection of nodes that do not need to rely on a predefined infrastructure to keep the network connected. Ad hoc networks can be formed, merged together or partitioned into separate networks on the fly, without necessarily relying on a fixed infrastructure to manage the operation. Nodes of ad hoc networks are often mobile, which also implies that they apply wireless communication to maintain connectivity, in which case the networks are called mobile ad hoc networks (MANET). Mobility is not, however, a requirement for nodes in ad hoc networks: there may also exist static and wired nodes, which may make use of services offered by a fixed infrastructure.

Ad hoc networks may be very different from each other, depending on the area of application. For instance, in a computer science classroom an ad hoc network could be formed between students' PDAs and the workstation of the teacher. In another scenario a group of soldiers is operating in a hostile environment, trying to keep their presence and mission totally unknown from the viewpoint of the enemy. The soldiers in the group carry wearable communication devices that are able to eavesdrop on the communication between enemy units, shut down hostile devices, divert the hostile traffic arbitrarily or impersonate the hostile parties. As can be seen, these two scenarios of ad hoc networking are very different from each other in many ways. In the first scenario the mobile devices need to work only in a safe and friendly environment where the networking conditions are predictable; thus no special security requirements are needed. On the other hand, in the second and rather extreme scenario the devices operate in an extremely hostile and demanding environment, in which the protection of the communication and the mere availability and operation of the network are both very vulnerable without strong protection.

As ad hoc networking somewhat varies from the more traditional approaches, the security aspects that are valid in the networks of the past are not fully applicable in ad hoc networks. While the basic security requirements such as confidentiality and authenticity remain, the ad hoc networking approach somewhat restricts the set of feasible security mechanisms to be used, as the level of security and, on the other hand, performance are always somewhat related to each other. The performance of nodes in ad hoc networks is critical, since the amount of available power for excessive calculation and radio transmission is constrained, as discussed e.g. in [3]. In addition, the available bandwidth and radio frequencies may be heavily restricted and may vary rapidly. Finally, as the amount of available memory and CPU power is typically small, the implementation of strong protection for ad hoc networks is non-trivial.

The main objective of this paper is to give an overview of how the area of application affects the security requirements of ad hoc networks. The focus of the discussion is on the security of routing. From the requirements, criteria for evaluating existing ad hoc networking solutions are formed. The evaluated proposals include the contemporary MANET drafts of the IETF. Mobile IP is not discussed.

The paper is structured into six sections as follows. Section 1 introduces the reader to the background of the topic: ad hoc networks and their special characteristics. Section 2 concentrates on giving an overview of characteristics and areas of networking that are relevant when designing a security architecture for ad hoc networks. Section 3 discusses security aspects and requirements of ad hoc networks from the viewpoint of the categories presented in section 2. Section 4 presents security problems encountered when the traditional networking approaches are applied in ad hoc networking. Section 5 gives an overview of the contemporary solutions for ad hoc networking and discusses the applicability of their security architecture. Finally, section 6 proposes future work possibilities for securing ad hoc networks.

2 Networking

2.1 Networking Infrastructure

Networking infrastructure forms the basis for the networks on top of which the higher-level services can be built. The core of the networking infrastructure is formed by the physical topology and the logical structure of the network, of which the latter is implemented and maintained with routing. As discussed in [5], there are two approaches in networking:

- flat or "zero-tier" infrastructure
- hierarchical, multiple- or N-tier infrastructure.

In flat networks there are no hierarchies of nodes; all nodes have equivalent roles from the viewpoint of routing. In contrast, in hierarchical networks there are nodes that have different roles than the others. These cluster nodes are responsible for serving one cluster of the actual low-tier nodes by controlling the traffic between the cluster and other clusters. Finally, the logical and physical topology of the network need not directly correspond to each other; for instance a logically hierarchical routing fabric can be formed with a physically flat network topology and vice versa.

2.2 Networking Operations

Most important networking operations include routing and network management. Routing protocols can be divided into proactive, reactive and hybrid protocols, depending on the routing topology [14].

- Proactive protocols are typically table-driven and distance-vector protocols, thus resembling many traditional protocols. In proactive protocols the nodes periodically refresh the existing routing information so that every node can immediately operate with consistent and up-to-date routing tables whenever there is data to be sent. Pure proactive protocols do not suit ad hoc networks due to the constant and heavy control traffic between the nodes. Especially in MANET networks there often need to exist several alternate paths to the destination for reliability reasons, which causes frequent exchange of redundant control information.

- Reactive or source-initiated on-demand protocols, in contrast, do not periodically update the routing information: it is propagated to the nodes only when necessary. Many of the MANET routing protocols are on-demand driven for optimization purposes. The disadvantage of the reactive protocols is that they create a lot of overhead when the route is being determined, since the routes are not necessarily up-to-date when required.

- Hybrid protocols make use of both reactive and proactive approaches. They typically offer means to switch dynamically between the reactive and proactive parts of the protocol. For instance, table-driven protocols could be used between networks and on-demand protocols inside the networks, or vice versa. It seems that neither the pure proactive nor the pure reactive approach is sufficient, due to the mentioned problems, so the hybrid approach may in general be the optimal choice.

The protection of routing traffic is vital in insecure environments so that the identity or location of the communicating party is not revealed to unauthorized parties. Routing information must also be protected from attacks against authentication and non-repudiation so that the origin of the data can be verified.

Network management involves the configuration of the elements in the network such as clients, routers and key management servers. The management can be done either manually or automatically, depending on the case. In addition to the initial configuration of the network as it starts, network management most often also involves the exchange and use of dynamic configuration information and status data of the network while operating. Network management data, as any piece of vulnerable information, must be protected from the viewpoint of confidentiality, authenticity and non-repudiation whenever the network is managed in a non-secure domain.

2.3 Physical Security

Physical security of the network elements forms the basis for the security architecture in networking. Moreover, the principles of the networking approach highly affect the importance and implications of physical security. For instance, in web-based intranets of today the firewalls, proxies and any other centralized elements between the secure and non-secure domains are single points of failure, thus the physical security of such elements must be ensured. On the other hand, in the classroom example in the introduction, the physical security of the students' and teacher's devices is not an essential issue to be guaranteed. The exposure of a student's information may only break the privacy of a single user, not the whole network as in the previous intranet example. In centralized systems like the classroom scenario the physical security of client nodes is thus not necessarily a critical issue, as the security of the system relies on the protection of a centralized service.

2.4 Key Management

The security in networking is in many cases dependent on proper key management. Key management consists of various services, each of which is vital for the security of the networking systems. The services must provide solutions to be able to answer the following questions:

- Trust model: it must be determined how much different elements in the network can trust each other. The environment and area of application of the network greatly affect the required trust model. Consequently, the trust relationships between network elements affect the way the key management system is constructed in the network.

- Cryptosystems available for key management: in some cases only public- or symmetric-key mechanisms can be applied, while in other contexts Elliptic Curve Cryptosystems (ECC) are available. While public-key cryptography offers more convenience (e.g. by well-known digital signature schemes), public-key cryptosystems are significantly slower than their secret-key counterparts when a similar level of security is needed. On the contrary, secret-key systems offer less functionality and suffer more from problems in e.g. key distribution. ECC cryptosystems are a newer field of cryptography in terms of implementations, but they are already widely in use, for instance in smart card systems.

- Key creation: it must be determined which parties are allowed to generate keys for themselves or other parties, and what kind of keys.

- Key storage: in ad hoc networks there may not be a centralized storage for keys. Neither may there be replicated storage available for fault tolerance. In ad hoc networks any network element may have to store its own key and possibly keys of other elements as well. Moreover, in some proposals such as [19], shared secrets are applied to distribute the parts of keys to several nodes. In such systems the compromise of a single node does not yet compromise the secret keys.

- Key distribution: the key management service must ensure that the generated keys are securely distributed to their owners. Any key that must be kept secret has to be distributed so that confidentiality, authenticity and integrity are not violated. For instance, whenever symmetric keys are applied, both or all of the parties involved must receive the key securely. In public-key cryptography the key distribution mechanism must guarantee that private keys are delivered only to authorized parties. The distribution of public keys need not preserve confidentiality, but the integrity and authenticity of the keys must still be ensured.

2.5 Availability

In [19], availability is defined as one of the key attributes related to the security of networks. Availability guarantees that network services operate properly and tolerate failures, even when denial of service attacks threaten the system. Availability can be broken in several layers: in the network layer the attacker can modify the routing protocol e.g. to be able to divert the traffic to invalid addresses or shut down networks. At the session security management level the adversary may be able to unnoticeably remove encryption in the session-level secure channel. Finally, at the application level the availability of essential services such as the key management service may be threatened.

2.6 Access Control

Access control consists of the means to govern the way users or virtual users such as operating system processes (subjects) can have access to data (objects). In networking, access control can e.g. involve the mechanisms with which the formation of groups of nodes is controlled. Only authorized nodes may form, destroy, join or leave groups. Access control can also mean the way the nodes log into the networking system to be able to communicate with other nodes when initially entering the network.

There are various approaches to access control. Discretionary Access Control (DAC) offers the means for defining the access control to the users themselves. DAC allows the restriction of access to objects based on the identity of subjects or groups of subjects. Mandatory Access Control (MAC) involves centralized mechanisms to control the access to objects with a formal authorization policy. DAC and MAC are often applied together so that DAC allows the system user subjects to control access of other subjects, while MAC controls and restricts the operation of DACs in the system in general. This kind of approach protects the system from failures generated by the actions of careless users.

Finally, Role Based Access Control (RBAC) applies the concept of roles within the subjects and objects. In RBAC systems subjects can have several roles, of which one at a time is active, and therefore the accesses to objects are defined with respect to roles, not subjects. As stated in [4], RBAC does not necessarily involve the controlling of access to information only, but also the restriction of access to functions within the system. Thus roles are group-oriented sets of transactions, associated to roles, that the specific users can perform on given objects. For example, in banking applications using RBAC users with different roles may have the same set of accesses to the same objects as such, only with different limits in the amount of transferable money. In DAC and MAC systems these kinds of definitions could not be directly applied.
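The three models above are easy to confuse in an implementation, so here is an added example in Python (not from the paper) that decides one access request under each of them. The subjects, objects, classification labels, roles and transfer limits are constructed; the rule that a discretionary grant only counts when the mandatory policy also permits it follows the text, while the particular mandatory policy used (no read up, no write down on a three-level lattice) is an assumption.

```python
"""DAC, MAC and RBAC decisions side by side (added example, not from the paper).

Subjects, objects, classification labels, roles and transfer limits below are
constructed for illustration. The MAC rule (no read up, no write down) and the
combination "MAC restricts whatever DAC grants" are assumptions that follow the
description in the text.
"""
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "secret": 2}   # MAC classification lattice


@dataclass
class Obj:
    name: str
    owner: str
    label: str                                 # MAC classification of the object
    acl: dict = field(default_factory=dict)    # DAC: subject name -> set of operations


@dataclass
class Role:
    name: str
    permissions: set                           # RBAC: set of (operation, object name)
    transfer_limit: int = 0                    # largest amount a "transfer" may move


class Subject:
    def __init__(self, name, clearance, roles=()):
        self.name = name
        self.clearance = clearance             # MAC clearance of the subject
        self.roles = {r.name: r for r in roles}
        self.active = None                     # RBAC: only one role is active at a time

    def activate(self, role_name):
        if role_name not in self.roles:
            raise PermissionError(f"{self.name} does not hold role {role_name}")
        self.active = self.roles[role_name]


def dac_allows(subj, obj, op):
    """Discretionary: the owner has every right and hands out others via the ACL."""
    return subj.name == obj.owner or op in obj.acl.get(subj.name, set())


def mac_allows(subj, obj, op):
    """Mandatory: central policy that owners cannot relax (no read up, no write down)."""
    clearance, label = LEVELS[subj.clearance], LEVELS[obj.label]
    return clearance >= label if op == "read" else clearance <= label


def dac_mac_allows(subj, obj, op):
    """DAC and MAC together: a discretionary grant only counts if MAC permits it."""
    return mac_allows(subj, obj, op) and dac_allows(subj, obj, op)


def rbac_allows(subj, obj, op, amount=0):
    """Role based: rights belong to the active role; the role's limit bounds transfers."""
    role = subj.active
    if role is None or (op, obj.name) not in role.permissions:
        return False
    return op != "transfer" or amount <= role.transfer_limit


def demo():
    # DAC vs. DAC+MAC: alice (owner) grants bob read, but bob's clearance is too low.
    report = Obj("status-report", owner="alice", label="secret")
    report.acl["bob"] = {"read"}
    bob = Subject("bob", clearance="internal")
    dac_only = dac_allows(bob, report, "read")          # True: the owner said so
    with_mac = dac_mac_allows(bob, report, "read")      # False: MAC overrides the grant

    # RBAC: same accesses, different limits, decided by the role carol has activated.
    account = Obj("acct-42", owner="bank", label="internal")
    ops = {("read", "acct-42"), ("transfer", "acct-42")}
    carol = Subject("carol", clearance="internal",
                    roles=[Role("clerk", ops, transfer_limit=1_000),
                           Role("manager", ops, transfer_limit=50_000)])
    carol.activate("clerk")
    small_as_clerk = rbac_allows(carol, account, "transfer", 500)       # True
    large_as_clerk = rbac_allows(carol, account, "transfer", 20_000)    # False
    carol.activate("manager")
    large_as_manager = rbac_allows(carol, account, "transfer", 20_000)  # True
    return dac_only, with_mac, small_as_clerk, large_as_clerk, large_as_manager


if __name__ == "__main__":
    print(demo())
```

The banking case is the one the paragraph mentions: clerk and manager hold exactly the same set of accesses to the same account, and only the limit attached to the active role differs, which neither a DAC ACL nor a MAC label can express on its own.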

3 Criteria for Protecting Ad Hoc Networks

3.1 Physical Security

In ad hoc networks especially mobile nodes are typically significantly more susceptible to physical attacks than wired nodes in traditional networks. However, the significance of physical security in the overall protection of the network is highly dependent on the ad hoc networking approach and the environment in which the nodes operate. For instance, in ad hoc networks that consist of independent nodes and work in a hostile battlefield the physical security of single nodes may be severely threatened. Therefore in such scenarios the protection of nodes cannot rely on physical security. In contrast, in the classroom example scenario the physical security of a node is an important issue to the owner of the node, perhaps for privacy reasons, but the breaking of the physical security does not affect the security of the system as such.

3.2 Security of Network Operations

The security of ad hoc networks can be based on protection in the link or network layer. In some ad hoc solutions the link layer offers strong security services for protecting confidentiality and authenticity, in which case all of the security requirements need not be addressed in the network or upper layers. For instance, in some wireless LANs link layer encryption is applied. However, in most cases the security services are implemented in higher layers, for instance in the network layer, since many ad hoc networks apply IP-based routing and recommend or suggest the use of IPSec.

Most MANET routing protocols seem to handle the rapid changes to the networking environment rather well, as stated in [19]. As the routing protocol is responsible for specifying and maintaining the necessary routing fabric for the nodes, the protocol must be protected from any attack against confidentiality, authenticity, integrity, non-repudiation and availability. If the confidentiality of the routing information is threatened, the adversary could be able to identify or locate nodes by eavesdropping on the routing traffic they send and forward. For military applications confidentiality is one of the most important attributes, as discussed e.g. in [6], since without the protection of location, identity and communication the users of the ad hoc network are very vulnerable to all kinds of attacks. On the other hand, if the availability of the network is broken, the users may not be able to carry out their mission at all, as the communication links are broken or compromised.

Authenticity and integrity of routing information are often handled in parallel if public-key cryptosystems are in use, since digital signatures are applied both for confirming the origin of the data and its integrity. Without any integrity protection the attacker is able to destroy messages, manipulate packet headers or even generate false traffic so that the actions cannot be distinguished from hardware or network failures. Authenticity of the routing data is essential so that nodes can confirm the source of new or changed routing information. If authenticity is not guaranteed, the adversary could perform impersonation attacks, divert traffic to arbitrary destinations or even scramble the routing fabric so that connectivity is severely broken in the ad hoc network. In the worst case the attacker can perform his actions and leave the network without being regarded as a malicious party.

Non-repudiation is somewhat related to authenticity: routing traffic must leave traces so that any party sending routing information cannot later deny having propagated the data to other parts of the network.

Network management data has similar security requirements as the routing traffic: the management information must be protected from disclosure if it can contain vulnerable information such as status data that the nodes collect. The protection of management traffic against tampering and impersonation attacks is perhaps even more important. For example, if the status information the nodes send to the management system is not authenticated or protected against integrity attacks, a malicious node could capture the valid information and send invalid status data instead. This may lead to wrong assumptions about the condition of the nodes within the management system and lead to the use of invalid configuration data, as a reaction to the observed changes to the statuses of nodes. Obviously, impersonation attacks against the exchanged configuration information may have severe and unpredictable consequences, especially if the adversary can at the same time control the sending of status information from the nodes. Moreover, as in ad hoc networks the manual configuration of nodes may be impossible, the configuration data may have to be exchanged dynamically and on demand, thus making the management operations even more vulnerable to the discussed attacks. In the worst case the adversary can arbitrarily configure any node and thus control the management system, which may interpret the observed inconsistencies as "natural" failures, not malicious actions generated by an active attacker.

3.3 Service Aspects

Ad hoc networks may apply either a hierarchical or a flat infrastructure, in the logical and physical layers independently. As in some flat ad hoc networks the connectivity is maintained directly by the nodes themselves, the network cannot rely on any kind of centralized services. In such networks the necessary services such as the routing of packets and key management have to be distributed so that all nodes have responsibility in providing the service. As there are no dedicated server nodes, any node may be able to provide the necessary service to another. Moreover, if a tolerable amount of nodes in the ad hoc network crash or leave the network, this does not break the availability of the services. Finally, the protection of services against denial of service is in theory impossible. In ad hoc networks redundancies in the communication channels can increase the possibility that each node can receive proper routing information. Such approaches do, however, produce more overhead both in computation resources and network traffic. The redundancies in the communication paths may, however, reduce the denial of service threat and allow the system to detect malicious nodes performing malicious actions more easily than in service provisioning approaches that rely on single paths between the source and destination.

Availability is a central issue in ad hoc networks that must operate in dynamic and unpredictable conditions. The network nodes may be idle or even be shut down once in a while. Thus the ad hoc network cannot make any assumptions about the availability of specific nodes at any given time. For commercial applications using ad hoc networks availability is often the most important issue from the viewpoint of the clients. The routing protocol must guarantee the robustness of the routing fabric so that the connectivity of the network is maintained even when threatened by rapid changes in topology or by attackers. Similarly, in the higher layers, the services must be able to rely on the lower layers maintaining the packet-forwarding services at any time. Finally, many ad hoc networking protocols are applied in conditions where the topology must scale up and down efficiently, e.g. due to network partitions or merges. The scalability requirements also directly affect the scalability requirements targeted at various security services such as key management. In networks where the area of application restricts the possible size of the network, assumptions can be made about the scalability requirements of the security services as well.

3.4 Security of Key Management

As in any distributed system, in ad hoc networks the security is based on the use of a proper key management system. As ad hoc networks significantly vary from each other in many respects, an environment-specific and efficient key management system is needed.

To be able to protect nodes e.g. against eavesdropping by using encryption, the nodes must have made a mutual agreement on a shared secret or exchanged public keys. For very rapidly changing ad hoc networks the exchange of encryption keys may have to be addressed on demand, thus without assumptions about a priori negotiated secrets. In less dynamic environments like the classroom example above, the keys may be mutually agreed proactively or even configured manually (if encryption is even needed).

If public-key cryptography is applied, the whole protection mechanism relies on the security of the private key. Consequently, as the physical security of nodes may be poor, private keys have to be stored in the nodes confidentially, for instance encrypted with a system key. For dynamic ad hoc networks this is not a wanted feature and thus the security of the private key must be guaranteed with proper hardware protection (smart cards) or by distributing the key in parts to several nodes. Hardware protection is, however, never alone an adequate solution for preventing attacks as such. In ad hoc networks a centralized approach in key management may not be an available option, as there may not exist any centralized resources. Moreover, centralized approaches are vulnerable as single points of failure. The mechanical replication of the private keys or other information is an inadequate protection approach, since e.g. the private keys of the nodes then simply have multiple possibilities to be compromised. Thus a distributed approach in key management, for any cryptosystem in use, is needed, as proposed e.g. in [19].
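The key-storage item in section 2.4 and the paragraph above both describe the same idea: splitting a key into parts held by several nodes, so that the compromise of a single node (or of fewer nodes than a threshold) reveals nothing, unlike plain replication, which multiplies the chances of compromise. The following is an added example in Python (not from the paper and not the scheme of [19]) of threshold secret sharing over a prime field; the field prime, the share count and the sample keys are constructed.

```python
"""Threshold secret sharing (Shamir's scheme) over a prime field.

Added example, not from the paper or from [19]: a key is split into n shares
held by different nodes; any t of them reconstruct it, while t-1 or fewer leave
every value of the key equally likely. The field prime and sample keys are
constructed; the secret must be a non-negative integer below P.
"""
import secrets

P = 2**521 - 1   # Mersenne prime; all polynomial arithmetic is done modulo P


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, modulo P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, n, t):
    """Split `secret` into n shares (x, y); any t of them reconstruct it, fewer give nothing."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    # constant term is the secret; the other t-1 coefficients are uniformly random
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given shares (needs at least t of them)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # den^-1 by Fermat
    return total


def demo():
    """Split a constructed 256-bit key across five nodes with a threshold of three."""
    key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(key, n=5, t=3)
    from_three = recover_secret([shares[0], shares[2], shares[4]])   # == key
    from_two = recover_secret(shares[:2])          # some unrelated field element
    return from_three == key, from_two == key      # (True, False)


if __name__ == "__main__":
    print(demo())
```

The point for the discussion above is the contrast with replication: losing two of the five nodes to an adversary yields two points on a random quadratic, from which the constant term cannot be inferred, whereas two copies of a replicated key would both be the key.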

3.5 Access Control

Access control is an applicable concept also within ad hoc networking, as there usually exists a need for controlling the access to the network and to the services it provides. Moreover, as the networking approach may allow or require the forming of groups in for instance the network layer, several access control mechanisms working in parallel may be needed. In the network layer the routing protocol must guarantee that no unauthorized nodes are allowed to join the network or a packet forwarding group such as the clusters in the hierarchical routing approach. For example, in the battlefield example of the introduction the routing protocol the ad hoc network applies must ensure that no hostile node can join and leave the group undetected from the viewpoint of the other nodes in the group. At the application level the access control mechanism must guarantee that unauthorized parties cannot have access to services, for instance the vital key management service.

Access control is often related to identification and authentication. The main issue in identification and authentication is that the parties can be confirmed to be authorized to gain the access. In some systems, however, identification or authentication of nodes is not required: nodes may be given e.g. delegate certificates with which the nodes can gain access to services. In this case actual authentication mechanisms are not needed, if the nodes are able to present adequate credentials to the access control system. In some ad hoc networks services may be centralized, while in other networks they are applied in a distributed manner, which may require the use of different access control mechanisms. Moreover, the required security level in access control also affects the way the access control must be implemented. If a centralized ad hoc networking approach with low security requirements is applied, as in the classroom example, the access control can be managed by the server party with simple means such as a user id and password scheme. In ad hoc networks that operate in more difficult conditions without any centralized resources, as in the battlefield scenario, the implementation of access control is much more difficult. Either the access to the network, its groups and resources must be defined when the network is formed, which is very inflexible, or a very complex, scalable and dynamic access control protocol must be defined and used, which brings flexibility but is prone to various kinds of attacks and may even be impossible to apply properly and efficiently.

4 Security Threats in Ad Hoc Networks

4.1 Types of Attacks

Attacks against ad hoc networks can be divided into two groups: passive attacks typically involve only eavesdropping of data, while active attacks involve actions performed by adversaries, for instance the replication, modification and deletion of exchanged data. External attacks are typically active attacks that are targeted e.g. to cause congestion, propagate incorrect routing information, prevent services from working properly or shut them down completely. External attacks can typically be prevented by using standard security mechanisms such as firewalls, encryption and so on. Internal attacks are typically more severe, since malicious insider nodes already belong to the network as an authorized party and are thus protected with the security mechanisms the network and its services offer. Thus such malicious insiders, who may even operate in a group, may use the standard security means to actually protect their attacks. These kinds of malicious parties are called compromised nodes, as their actions compromise the security of the whole ad hoc network.

4.2 Denial of Service

The denial of service threat, whether produced by an unintentional failure or by malicious action, forms a severe security risk in any distributed system. The consequences of such attacks, however, depend on the area of application of the ad hoc network. In the classroom example any of the nodes, either the teacher's centralized device or the students' handheld gadgets, can crash or be shut down without completely destroying anything; the class can continue their work normally by using other tools. On the contrary, in the battlefield scenario the efficient operation of the soldiers may totally depend on the proper operation of the ad hoc network their devices have formed. If the enemy can shut down the network, the group may be separated into vulnerable units that cannot communicate with each other or with the headquarters.

The denial of service attack has many forms: the classical way is to flood any centralized resource so that it no longer operates correctly or crashes, but in ad hoc networks this may not be an applicable approach due to the distribution of responsibility. A distributed denial of service attack is a more severe threat: if the attackers have enough computing power and bandwidth to operate with, smaller ad hoc networks can be crashed or congested rather easily. There are, however, more serious threats to ad hoc networks. As discussed in e.g. [9], compromised nodes may be able to reconfigure the routing protocol or any part of it so that they send routing information very frequently, thus causing congestion, or very rarely, thus preventing nodes from gaining new information about the changed topology of the network.

In the worst case the adversary is able to change the routing protocol to operate arbitrarily or perhaps even in the (invalid) way the attacker wants. If the compromised nodes and the changes to the routing protocol are not detected, the consequences are severe, as from the viewpoint of the nodes the network may seem to operate normally. This kind of invalid operation of the network initiated by malicious nodes is called a byzantine failure.
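The two misbehaviours attributed to compromised nodes above, updates sent far too often and updates that stop coming, are both visible to a neighbour that simply keeps timestamps of the routing updates it receives. The following added example in Python (not from the paper or from [9]) classifies neighbours from such a log; the log lines, the nominal update interval of a proactive protocol and the flood and silence thresholds are constructed assumptions.

```python
"""Rate anomalies in routing updates from a neighbour log (added example, not from the paper or [9]).

The log, the nominal update interval and the thresholds are constructed
assumptions. For a proactive protocol that sends periodic updates, a neighbour
that sends far more often than nominal is flagged as a possible flooder and one
that has gone quiet for several intervals as possibly silenced: the two
misbehaviours of compromised nodes the text describes.
"""
from collections import defaultdict

NOMINAL_INTERVAL = 10.0   # seconds between periodic routing updates (assumed)
FLOOD_FACTOR = 5          # more than this many updates per nominal interval -> flood
SILENCE_FACTOR = 3        # quiet for more than this many intervals -> silent


def build_sample_log():
    """Constructed sample: n1 behaves, n2 floods from t=30 to t=40, n3 stops after t=10."""
    lines = [f"{10.0 * k:.1f} n1 ROUTE_UPDATE" for k in range(7)]
    lines += [f"{10.0 * k:.1f} n2 ROUTE_UPDATE" for k in range(4)]
    lines += [f"{30.0 + 0.2 * k:.1f} n2 ROUTE_UPDATE" for k in range(50)]
    lines += [f"{10.0 * k:.1f} n3 ROUTE_UPDATE" for k in range(2)]
    return "\n".join(lines)


def parse_log(text):
    """Map each node id to its sorted update timestamps; line format '<t> <node> ROUTE_UPDATE'."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "ROUTE_UPDATE":
            continue                       # ignore anything that is not an update record
        seen[parts[1]].append(float(parts[0]))
    return {node: sorted(ts) for node, ts in seen.items()}


def max_updates_in_window(times, window):
    """Largest number of updates inside any half-open window [t, t + window)."""
    best, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] < start + window:
            j += 1
        best = max(best, j - i)
    return best


def classify(updates, now, nominal=NOMINAL_INTERVAL):
    """Label every node 'flood', 'silent' or 'normal' as of time `now`."""
    verdict = {}
    for node, times in updates.items():
        if max_updates_in_window(times, nominal) > FLOOD_FACTOR:
            verdict[node] = "flood"
        elif now - times[-1] > SILENCE_FACTOR * nominal:
            verdict[node] = "silent"
        else:
            verdict[node] = "normal"
    return verdict


if __name__ == "__main__":
    print(classify(parse_log(build_sample_log()), now=60.0))
```

A verdict of "silent" on its own cannot distinguish a reconfigured node from one that has simply left the network or run out of power, which is exactly the ambiguity the paragraph warns about; the value of the check is that it surfaces the node for further inspection rather than letting stale topology pass unnoticed.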

4.3 Impersonation

Impersonation attacks form a serious security risk in all levels of ad hoc networking. If proper authentication of parties is not supported, compromised nodes may in the network layer be able to e.g. join the network undetectably or send false routing information masqueraded as some other, trusted node. Within network management the attacker could gain access to the configuration system as a superuser. At the service level, a malicious party could have its public key certified even without proper credentials. Thus impersonation attacks concern all critical operations in ad hoc networks. In the classroom example, however, the impersonation attack is not probable or even feasible. If a malicious student impersonates the teacher's device, he may be able to access or destroy data that is stored in students' or teacher's devices or exchanged between them. The benefit of the attack is small: it will most likely be noticed very quickly and the information he can manipulate or have access to is not crucial enough to make the attack worthwhile. In the other example the implications of successful impersonation are (again) much more severe: a hostile node controlled by the enemy may be able to join the ad hoc network undetectably and cause permanent damage to other nodes or services. A malicious party may be able to masquerade itself as any of the friendly nodes and give false orders or status information to other nodes.

Impersonation threats are mitigated by applying strong authentication mechanisms in contexts where a party has to be able to trust the origin of data it has received or stored. Most often this means, in every layer, the application of digital signatures or keyed fingerprints over routing messages, configuration or status information or exchanged payload data of the services in use. Digital signatures implemented with public-key cryptography are as such a problematic issue within ad hoc networks, as they require an efficient and secure key management service and relatively much computation power. Thus in many cases lighter solutions like the use of keyed hash functions or a priori negotiated and certified keys and session identifiers are needed. They do not, however, remove the demand for secure key
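The "keyed fingerprint" option mentioned above, and the authenticity and integrity requirements on routing information from section 3.2, can be shown on a single routing update. The following is an added example in Python (not from the paper): a receiver verifies an HMAC-SHA256 tag over each update with a key it is assumed to share a priori with the sending neighbour, and rejects forged and tampered updates. As one step beyond the text, it also rejects a replayed genuine update by means of a sequence number, which is the "replication" attack listed in section 4.1. Keys, node ids and route contents are constructed.

```python
"""Keyed fingerprints over routing updates (added example, not from the paper).

Assumes every node shares a symmetric key with each neighbour, negotiated a
priori as the text puts it; keys, node ids and route contents are constructed.
Each update carries an HMAC-SHA256 tag and a sequence number. The receiver
drops updates whose tag does not verify (forged by a node without the key, or
tampered with in transit) and, going one step beyond the text, updates whose
sequence number it has already accepted (replayed).
"""
import hashlib
import hmac
import json


def encode_update(sender, seq, routes):
    """Canonical encoding so the sender and receiver tag exactly the same bytes."""
    return json.dumps({"from": sender, "seq": seq, "routes": routes},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_update(key, sender, seq, routes):
    """Build an update carrying a keyed fingerprint over its body."""
    body = encode_update(sender, seq, routes)
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class Receiver:
    def __init__(self, neighbour_keys):
        self.keys = neighbour_keys     # node id -> shared key
        self.last_seq = {}             # node id -> highest accepted sequence number
        self.routes = {}               # node id -> last accepted routing information

    def accept(self, msg):
        """Return (accepted, reason); only accepted updates touch the routing state."""
        try:
            fields = json.loads(msg["body"])
            sender, seq = fields["from"], int(fields["seq"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        key = self.keys.get(sender)
        if key is None:
            return False, "unknown sender"
        expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):   # constant-time comparison
            return False, "bad tag"
        if seq <= self.last_seq.get(sender, -1):
            return False, "replay"
        self.last_seq[sender] = seq
        self.routes[sender] = fields["routes"]
        return True, "ok"


def demo():
    key_a = b"constructed-shared-key-A"
    rx = Receiver({"A": key_a})
    genuine = sign_update(key_a, "A", 1, {"10.0.0.0/24": 2})
    # a node without the key claims to be A (impersonation)
    forged = sign_update(b"not-the-real-key", "A", 2, {"10.0.0.0/24": 1})
    # a captured genuine update edited in transit, shortening the advertised route
    tampered = {"body": genuine["body"].replace(b'"10.0.0.0/24":2', b'"10.0.0.0/24":1'),
                "tag": genuine["tag"]}
    return [rx.accept(genuine)[1],    # "ok"
            rx.accept(genuine)[1],    # "replay": same sequence number seen again
            rx.accept(forged)[1],     # "bad tag"
            rx.accept(tampered)[1]]   # "bad tag"


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not give: an HMAC with a pairwise key provides authenticity and integrity between the two neighbours, but not non-repudiation, since either holder of the key could have produced the tag; that is the property for which the text reserves digital signatures, at the cost of the key management and computation it describes.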

Posted: 22/03/2014, 15:21